feat(core/prodtest): set HSM public keys

[no changelog]
2026-02-20 00:33:30 +01:00 · 2025-08-28 18:20:30 +02:00
parent b39ddff4e1
commit 58245dd51d
3 changed files with 48 additions and 9 deletions
--- a/core/embed/projects/prodtest/cmd/secure_channel.c
+++ b/core/embed/projects/prodtest/cmd/secure_channel.c
@@ -19,6 +19,8 @@

 #include "secure_channel.h"

+#include "memzero.h"
+
 #include "string.h"

 typedef enum {
@@ -38,11 +40,20 @@ static curve25519_key prodtest_private_key = {
    0xc8, 0x56, 0x36, 0x89, 0xf5, 0xa6, 0x70, 0x66, 0x43, 0xeb, 0xe3,
    0x7e, 0xff, 0x7a, 0x2c, 0x20, 0x31, 0x27, 0x58, 0xbe, 0x5f, 0x01,
    0xc8, 0x6f, 0x9b, 0xe7, 0xe2, 0xe6, 0x0b, 0xee, 0x7e, 0x55};
-// TODO: Generate the key on HSM and use it here.
-static curve25519_key hsm_public_key = {
-    0xcf, 0xce, 0x80, 0xf7, 0xc8, 0x7e, 0xa1, 0xe9, 0x3d, 0x0d, 0x80,
-    0x98, 0x3f, 0xec, 0xc9, 0x98, 0xa0, 0xdd, 0xb6, 0xaa, 0x7a, 0x36,
-    0x36, 0x6b, 0x6c, 0x7d, 0xd4, 0x09, 0x32, 0x5f, 0x67, 0x4b};
+static curve25519_key hsm_public_keys[] = {
+#if PRODUCTION
+    {0xba, 0x79, 0x2d, 0x15, 0xc6, 0x87, 0xb4, 0xa5, 0x31, 0xbe, 0x20,
+     0x1e, 0x88, 0x73, 0x86, 0xaa, 0x7b, 0x9f, 0x24, 0x09, 0x2d, 0xb7,
+     0x7a, 0xc9, 0x5b, 0x84, 0xee, 0xb3, 0x36, 0x66, 0x47, 0x5c},
+    {0x07, 0x7a, 0xe8, 0xf9, 0xf8, 0x83, 0x9a, 0x8f, 0x07, 0x73, 0xc4,
+     0x98, 0x89, 0x40, 0x21, 0x86, 0xf9, 0xf9, 0xa8, 0xf4, 0xb2, 0xe7,
+     0xac, 0x0e, 0xe5, 0x83, 0xa2, 0xf7, 0xe6, 0x63, 0x82, 0x54}
+#else
+    {0xcf, 0xce, 0x80, 0xf7, 0xc8, 0x7e, 0xa1, 0xe9, 0x3d, 0x0d, 0x80,
+     0x98, 0x3f, 0xec, 0xc9, 0x98, 0xa0, 0xdd, 0xb6, 0xaa, 0x7a, 0x36,
+     0x36, 0x6b, 0x6c, 0x7d, 0xd4, 0x09, 0x32, 0x5f, 0x67, 0x4b}
+#endif
+};

 bool secure_channel_handshake_1(uint8_t output[SECURE_CHANNEL_OUTPUT_SIZE]) {
  if (!noise_create_handshake_request(&noise_context,
@@ -61,14 +72,14 @@ bool secure_channel_handshake_2(
    return false;
  }

-  if (!noise_handle_handshake_response(&noise_context, prodtest_private_key,
-                                       hsm_public_key,
-                                       (const noise_response_t*)input)) {
+  if (!noise_handle_handshake_response_multiple_keys(
+          &noise_context, prodtest_private_key, hsm_public_keys,
+          sizeof(hsm_public_keys) / sizeof(hsm_public_keys[0]),
+          (const noise_response_t*)input)) {
    return false;
  }

  noise_state = SECURE_CHANNEL_STATE_2;
-
  return true;
 }

--- a/crypto/noise.c
+++ b/crypto/noise.c
@@ -335,3 +335,22 @@ bool noise_receive_message(noise_context_t *ctx, const uint8_t *associated_data,
  }
  return true;
 }
+
+bool noise_handle_handshake_response_multiple_keys(
+    noise_context_t *ctx, const curve25519_key initiator_private_key,
+    const curve25519_key responder_public_keys[],
+    size_t responder_public_keys_count, const noise_response_t *response) {
+  curve25519_key ephemeral_key_backup = {0};
+  memcpy(ephemeral_key_backup, ctx->initiator_ephemeral_private_key,
+         sizeof(ephemeral_key_backup));
+  for (size_t i = 0; i < responder_public_keys_count; i++) {
+    memcpy(ctx->initiator_ephemeral_private_key, ephemeral_key_backup,
+           sizeof(ephemeral_key_backup));
+    if (noise_handle_handshake_response(ctx, initiator_private_key,
+                                        responder_public_keys[i], response)) {
+      memzero(ephemeral_key_backup, sizeof(ephemeral_key_backup));
+      return true;
+    }
+  }
+  return false;
+}
--- a/crypto/noise.h
+++ b/crypto/noise.h
@@ -75,6 +75,15 @@ bool noise_handle_handshake_response(noise_context_t* ctx,
                                     const curve25519_key responder_public_key,
                                     const noise_response_t* response);

+// This is called by the initiator to handle the handshake response
+// This is a wrapper above noise_handle_handshake_response that allows to pass
+// multiple responder public keys, the first key that succeeds in paring is
+// used
+bool noise_handle_handshake_response_multiple_keys(
+    noise_context_t* ctx, const curve25519_key initiator_private_key,
+    const curve25519_key responder_public_keys[],
+    size_t responder_public_keys_count, const noise_response_t* response);
+
 // This is called by both the initiator and responder to send a message
 // len(ciphertext) == plaintext_length + NOISE_TAG_SIZE
 // The official Noise specification requires the associated_data to be empty